RHEL-104144

Validate that FIPS mode has not been changed


    • Type: Story
    • Resolution: Unresolved
    • Priority: Normal
    • rhel-10.2
    • ipa-healthcheck
    • ipa-healthcheck-0.19-1.el10
    • Moderate
    • rhel-idm-pki
    • PKI: RHELs for 10.2 and 9.8
    • Requested
    • Release Note Not Required

      If IPA is installed when FIPS is disabled, and it is later enabled, then ipa-healthcheck will throw a lot of unclear errors. A specific check should be added to test for this condition.

      The errors look like:

      ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072907: Request id 20240828072907: Unable to retrieve cert 'auditSigningCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
      ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072908: Request id 20240828072908: Unable to retrieve cert 'ocspSigningCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
      ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072909: Request id 20240828072909: Unable to retrieve cert 'subsystemCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
      ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072910: Request id 20240828072910: Unable to retrieve cert 'caSigningCert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate
      ERROR: ipahealthcheck.ipa.certs.IPACertfileExpirationCheck.20240828072911: Request id 20240828072911: Unable to retrieve cert 'Server-Cert cert-pki-ca' from '/etc/pki/pki-tomcat/alias': Unable to find certificate

      It is invalid and unsupported to change the FIPS mode on a running system.

      NSS provides two soft tokens, one for FIPS and one for non-FIPS.

      The token used to generate the initial certificates is stored in the certmonger requests, so it can be used to test whether the FIPS state has changed: if the certmonger token doesn't match the current FIPS state, report an error.

      Report SUCCESS if the token is stored on an HSM because we have no way of knowing the initial state.
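
      The certmonger-token comparison described above, as an added example in Python (not ipa-healthcheck's own code): it assumes the standard NSS soft-token names and a simplified certmonger request record format with `id=` and `key_token=` lines, with constructed sample records embedded inline; any token name outside the two NSS soft tokens is treated as an HSM and reported as SUCCESS.

```python
import re
# Standard NSS soft-token names (assumption: taken from NSS itself; the ticket
# only says there are two soft tokens, one FIPS and one non-FIPS).
NONFIPS_TOKEN = "NSS Certificate DB"
FIPS_TOKEN = "NSS FIPS 140-2 Certificate DB"
SOFT_TOKENS = {NONFIPS_TOKEN, FIPS_TOKEN}
# Constructed sample records in a simplified certmonger request format
# (assumption: 'id=' and 'key_token=' lines, blank line between requests).
SAMPLE_REQUESTS = """\
id=20240828072907
key_token=NSS Certificate DB

id=20240828072910
key_token=NSS FIPS 140-2 Certificate DB

id=20240828072911
key_token=example-hsm-token
"""

def read_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """Kernel reports FIPS mode as '1'; a missing file means FIPS is off."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False

def parse_certmonger_tokens(text):
    """Return (request_id, key_token) pairs from the request records."""
    pairs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split("=", 1) for line in block.splitlines() if "=" in line)
        if "id" in fields and "key_token" in fields:
            pairs.append((fields["id"], fields["key_token"]))
    return pairs

def check_request_token(request_id, token, fips_enabled):
    """SUCCESS if the token agrees with the current FIPS state or is not an NSS
    soft token (HSM: initial state unknowable); ERROR on a FIPS-mode mismatch."""
    if token not in SOFT_TOKENS:
        return "SUCCESS", f"{request_id}: '{token}' is not an NSS soft token, skipping"
    if token == (FIPS_TOKEN if fips_enabled else NONFIPS_TOKEN):
        return "SUCCESS", f"{request_id}: '{token}' matches the current FIPS mode"
    mode = "enabled" if fips_enabled else "disabled"
    return "ERROR", (f"{request_id}: certificates were issued via '{token}' but FIPS is "
                     f"now {mode}; FIPS mode was changed after install (unsupported)")

def run_check(text, fips_enabled):
    # One (severity, message) per request, in record order.
    return [check_request_token(rid, tok, fips_enabled) for rid, tok in parse_certmonger_tokens(text)]
```

On a real host the result of `read_fips_enabled()` would be passed as `fips_enabled`, with the records read from certmonger's request store instead of the constructed sample.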

      Upstream issue https://github.com/freeipa/freeipa-healthcheck/issues/342

              Rob Crittenden (rhn-engineering-rcrit)
              Sudhir Menon